GT 4 Security Goals & Plans
Sam Meder (firstname.lastname@example.org)
The Ultimate Goal
- Enable secure cross-organizational interactions
  - Least privilege rights delegation
  - Support for multiple mechanisms -> translation
  - Virtual Organization security fabric
    - Membership
    - Policy
    - etc.
  - ...
Figure: Multi-Institution Issues. Domain A (Server X, Server Y) and Domain B (Task), each with its own Certification Authority and Policy Authority, plus Sub-Domains A1 and B1; labels "Trust Mismatch", "Mechanism Mismatch" and "No Cross-Domain Trust".
Why Grid Security is Hard
- Resources being used may be valuable & the problems being solved sensitive
  - Both users and resources need to be careful
- Dynamic formation and management of virtual organizations (VOs)
  - Large, dynamic, unpredictable...
- VO resources and users are often located in distinct administrative domains
  - Can't assume cross-organizational trust agreements
  - Different mechanisms & credentials
    - X.509 vs Kerberos, SSL vs GSSAPI, X.509 vs X.509 (different domains)
    - X.509 attribute certs vs SAML assertions
Why Grid Security is Hard...
- Interactions are not just client/server, but service-to-service on behalf of the user
  - Requires delegation of rights by user to service
  - Services may be dynamically instantiated
- Standardization of interfaces to allow for discovery, negotiation and use
- Implementation must be broadly available & applicable
  - Standard, well-tested, well-understood protocols; integrated with a wide variety of tools
- Policies from sites, VOs and users need to be combined
  - Varying formats
- Want to hide as much as possible from applications!
The Grid Trust Solution
- Instead of setting up trust relationships at the organizational level (lots of overhead, possible legalities - expensive!), set up trust at the user/resource level
- Virtual Organizations (VOs) for multi-user collaborations
  - Federate through mutually trusted services
  - Local policy authorities rule
- Users able to set up dynamic trust domains
  - Personal collection of resources working together based on trust of user
Figure: Grid Solution: Use Virtual Organization as Bridge. Domain A (with its Certification Authority) and Sub-Domain B1 (with its Authority) are bridged through a Federation Service in the Virtual Organization Domain using GSI; there is still no direct cross-domain trust.
Effective Policy Governing Access Within A Collaboration
Figure: Use Delegation to Establish Dynamic Distributed System. Rights flow from the Compute Center to the VO and on to the Compute Center Service.
Figure: Goal is to do this with arbitrary mechanisms. The same Compute Center / VO / Compute Center Service diagram, annotated with the mechanisms in play: Kerberos/WS-Security, X.509/SSL, SAML Attribute, X.509 AC.
Security of Grid Brokering Services
- It is expected that brokers will handle resource coordination for users
- Each organization enforces its own access policy
- User needs to delegate rights to the broker, which may in turn need to delegate to services
- QoS/QoP negotiation and multi-level delegation
Propagation of Requester's Rights through Job Scheduling and Submission Process
- Dynamically limit the delegated rights further as job specifics become clear
- Trust parties downstream to limit rights for you... or let them come back with job specifics such that you can limit them
- Virtualization complicates least privilege delegation of rights
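The least-privilege, multi-level delegation of the two slides above (user to broker to compute-center service), as an added Python model that is not part of the presentation or of GT4: a delegation chain in which every hop may only narrow the rights and shorten the lifetime it received. The DNs, right names and clock values are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List
# Added toy model (not GT4 code) of multi-level delegation in the spirit of X.509 proxy
# certificates: each hop may only narrow the rights and shorten the lifetime it received.
@dataclass(frozen=True)
class Credential:
    subject: str
    issuer: str
    rights: FrozenSet[str]   # constructed right names such as "submit:clusterA"
    expires: int             # hypothetical clock value, in seconds

def delegate(parent: Credential, to: str, rights: Iterable[str], expires: int) -> Credential:
    """Issue a child credential; refuse anything wider or longer-lived than the parent."""
    rights = frozenset(rights)
    if not rights <= parent.rights or expires > parent.expires:
        raise ValueError(f"{to}: wider rights or longer lifetime than the delegator")
    return Credential(to, parent.subject, rights, expires)

def effective_rights(chain: List[Credential], trusted_root: str, now: int) -> FrozenSet[str]:
    """Verify root-first that each link is issued by the previous subject and never
    widens rights or lifetime; return what the last holder may do right now."""
    if not chain or chain[0].issuer != trusted_root:
        raise ValueError("chain does not start at a trusted root")
    for prev, cur in zip(chain, chain[1:]):
        if cur.issuer != prev.subject:
            raise ValueError(f"broken chain at {cur.subject}")
        if not cur.rights <= prev.rights or cur.expires > prev.expires:
            raise ValueError(f"escalation at {cur.subject}")
    if now >= chain[-1].expires:
        raise ValueError("chain expired")
    return chain[-1].rights

ALL = frozenset({"submit:clusterA", "submit:clusterB", "read:/data/run7"})  # constructed
def broker_scenario(now: int = 1000) -> FrozenSet[str]:
    """Slides' flow: user -> broker (broad, 1 h) -> cluster A service (narrowed, 10 min)."""
    user = Credential("CN=Alice", "CN=VO-CA", ALL, now + 3600)
    broker = delegate(user, "CN=Broker", user.rights, now + 3600)
    # Job specifics are now known: one cluster, one dataset, and far less time.
    service = delegate(broker, "CN=ClusterA-Service", {"submit:clusterA", "read:/data/run7"}, now + 600)
    return effective_rights([user, broker, service], "CN=VO-CA", now)

def escalation_is_rejected(now: int = 1000) -> bool:
    """A downstream party asking for a right the user never delegated is refused."""
    user = Credential("CN=Alice", "CN=VO-CA", frozenset({"submit:clusterA"}), now + 3600)
    broker = delegate(user, "CN=Broker", user.rights, now + 3600)
    try:
        delegate(broker, "CN=ClusterB-Service", {"submit:clusterB"}, now + 60)
    except ValueError:
        return True
    return False
```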
Grid Security must address...
- Trust between resources without organization support
- Bridging differences between mechanisms
  - Authentication, assertions, policy...
- Allow for controlled sharing of resources
  - Delegation from site to VO
- Allow for coordination of shared resources
  - Delegation from VO to users, users to resources
- ...all with dynamic, distributed user communities and least privilege.
Functional Capabilities
- Authentication service: An authentication service is concerned with verifying proof of an asserted identity.
- Identity mapping service: The identity mapping service provides the capability of transforming an identity that exists in one identity domain into an identity within another identity domain.
- Authorization service: The authorization service is concerned with resolving a policy-based access control decision.
- Credential conversion service: The credential conversion service converts a credential of one type into another type or form of credential.
- Audit service: The audit service is responsible for producing records which track security-relevant events.
- Profile service: The profile service is concerned with managing service requestors' preferences and data which may not be directly consumed by the authorization service.
- Privacy service: The privacy service is primarily concerned with the policy-driven classification of personally identifiable information (PII).
- VO policy service: The VO policy service is concerned with the management of policies.
- ...
Interaction with other Grid Services
- All Grid services layered on security services
  - All interactions are subject to policy enforcement
- Grid security services leverage other services
  - Use of registries/databases/QoS/discovery/migration/meta-data publication/fail-over/mirroring/provisioning/etc.
- Security policy derived from higher-level agreements
  - Enforcement is a means to meet business objectives
- New agreements subject to governing security policy
  - Existing access restrictions override any new agreement
Security services cannot be seen in isolation!
GT 4 (3.9.2) Existing Features
- Authentication
  - GSI Secure Message
    - Based on earlier WS-Security draft
    - Support for signing and encrypting using X.509 certificates and X.509 Proxy Certificates
    - Per message
  - GSI Secure Conversation
    - Based on proprietary protocol (predates WS-SecureConversation)
    - GSSAPI
      - SSL + delegation + proxy certificates
      - (Kerberos)
    - Session based
GT 4 (3.9.2) Existing Features
- Authorization
  - Host
  - Self
  - Identity
  - Gridmap
  - Custom
GT 4 Plans - Authentication
- Move to WSS4J
  - Web Services Security 1.0
  - WS-I Basic Security Profile
  - Support for Username/Password
- Move to WS-Trust/WS-SecureConversation
  - Make GSI Secure Conversation compliant with latest drafts
- (Introduce secure Username/Password session protocol (based on AuthA))
- (https - XML Security performance...)
GT 4 Plans - Delegation
- Delegation Service
  - Using WSRF
    - Delegated credentials modeled as resources
    - Lifetime management using WS-ResourceLifetime
  - Allows decoupling of delegation from authentication
  - No problem with WS-I Basic Security Profile
  - Pushes delegation handling to application level
    - Requires modification of application protocol
GT 4 Plans - Authorization
- CAS WSRF port
- Integration of new authorization framework developed at KTH
  - XACML engine
  - Management interface
  - Chaining of authorization decisions
  - Per-method granularity
GT 4 Plans - Authorization (cont.)
- Port of SAML authorization callout
  - Based on work in OGSA Authz WG
  - Requires schema for resource id
- CAS-enabled grid services
  - Integration of SAML-based CAS assertions with XACML engine
  - Will lead to generic SAML/XACML delegation of rights framework
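The chaining of authorization decisions with per-method granularity planned in the two slides above, as an added Python example that is not GT4 code: a chain of handlers modelled on the existing self and gridmap modes plus a per-method rule, evaluated for each operation. The first-decision-wins combining rule, the DNs and the gridmap contents are this example's assumptions.

```python
import re
from typing import Callable, Dict, List, Optional
# Added example (not GT4 code): a chain of authorization handlers in the style of the
# GT4 modes listed earlier (self, gridmap) plus a per-method rule. Combining rule, an
# assumption of this example rather than GT4's: first handler with a decision wins; none = deny.
Decision = Optional[bool]                  # True = permit, False = deny, None = not applicable
Handler = Callable[[str, str], Decision]   # (peer DN, operation name) -> decision

def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse gridmap lines of the form "/DN" user1,user2 into a DN -> local users map."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r'"([^"]+)"\s+(\S+)', line)
        if not m:
            raise ValueError(f"malformed gridmap line: {raw!r}")
        mapping[m.group(1)] = m.group(2).split(",")
    return mapping

def self_authz(service_dn: str) -> Handler:
    """Self mode: the service's own identity is permitted; anyone else is left undecided."""
    return lambda peer, op: True if peer == service_dn else None

def method_authz(rules: Dict[str, set]) -> Handler:
    """Per-method granularity: operations listed in `rules` are restricted to those DNs."""
    return lambda peer, op: (peer in rules[op]) if op in rules else None

def gridmap_authz(mapping: Dict[str, List[str]]) -> Handler:
    """Gridmap mode: permit any mapped DN for any operation, deny everyone else."""
    return lambda peer, op: peer in mapping

def authorize(chain: List[Handler], peer_dn: str, op: str) -> bool:
    for handler in chain:
        decision = handler(peer_dn, op)
        if decision is not None:
            return decision
    return False                           # nobody decided: deny by default

# Constructed sample policy for a job-submission service.
SERVICE_DN = "/O=Grid/OU=VO-X/CN=host/gram.example.org"
ADMIN_DN = "/O=Grid/OU=VO-X/CN=Bob"
GRIDMAP = '''# constructed sample gridmap
"/O=Grid/OU=VO-X/CN=Alice" alice
"/O=Grid/OU=VO-X/CN=Bob" bob,batch
'''
CHAIN: List[Handler] = [self_authz(SERVICE_DN), method_authz({"destroy": {ADMIN_DN, SERVICE_DN}}),
                        gridmap_authz(parse_gridmap(GRIDMAP))]
```

Ordering the handlers is part of the policy: the per-method rule sits before the gridmap so that a mapped user is still refused the restricted operation.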
GT 4 Plans - MyProxy
- Inclusion of MyProxy
  - Non-WS to begin with